high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Included in our products from | June 2005 (3.94) |
| Protection available since | 1 March 2005 05:40:12 (GMT) |
| Last updated | 12 April 2005 08:38:43 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
If you are running Sophos Anti-Virus for Windows, version 6.0, you should follow our instructions for removing worms.
If you use any of our other products for Windows NT/2000/XP/2003 and Windows 95/98/Me you will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\
and remove any reference to any file you deleted.
Close the registry editor.
For all other platforms, please follow our instructions for removing worms.
More Information
W32/Mytob-C is a mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the LSASS (MS04-011) exploit.
The worm will attempt to harvest email addresses from the local hard disk by scanning files with extensions WAB, PL, ADB, TBB, DBX, ASP, PHP, SHTL and HTM. W32/Mytob-C is a mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the LSASS (MS04-011) exploit.
When first run the worm copies itself to the Windows system folder as wfdmgr.exe and creates the following registry entries so as to auto-start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LSA
wfdmgr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
LSA
wfdmgr.exe
HKLM\Software\Microsoft\OLE
LSA
wfdmgr.exe
HKLM\System\CurrentControlSet\Control\Lsa
LSA
wfdmgr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
LSA
wfdmgr.exe
HKCU\Software\Microsoft\OLE
LSA
wfdmgr.exe
HKCU\System\CurrentControlSet\Control\Lsa
LSA
wfdmgr.exe
The worm will attempt to harvest email addresses from the local hard disk by scanning files with extensions WAB, PL, ADB, TBB, DBX, ASP, PHP, SHTL and HTM.
Emails sent by W32/Mytob-C have the following layout:
Subject line chosen from:
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi
Message text chosen from:
This is a multi-part message in MIME format.
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attached filename chosen from the following with an extension chosen from (bat cmd exe scr pif zip):
message
test
data
file
text
doc
readme
document
|
